Print this page
15254 %ymm registers not restored after signal handler
15367 x86 getfpregs() summons corrupting %xmm ghosts
15333 want x86 /proc xregs support (libc_db, libproc, mdb, etc.)
15336 want libc functions for extended ucontext_t
15334 want ps_lwphandle-specific reg routines
15328 FPU_CW_INIT mistreats reserved bit
15335 i86pc fpu_subr.c isn't really platform-specific
15332 setcontext(2) isn't actually noreturn
15331 need <sys/stdalign.h>
Change-Id: I7060aa86042dfb989f77fc3323c065ea2eafa9ad
Conflicts:
usr/src/uts/common/fs/proc/prcontrol.c
usr/src/uts/intel/os/archdep.c
usr/src/uts/intel/sys/ucontext.h
usr/src/uts/intel/syscall/getcontext.c
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/os/priv.c
+++ new/usr/src/uts/common/os/priv.c
1 1 /*
2 2 * CDDL HEADER START
3 3 *
4 4 * The contents of this file are subject to the terms of the
5 5 * Common Development and Distribution License (the "License").
6 6 * You may not use this file except in compliance with the License.
7 7 *
8 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 9 * or http://www.opensolaris.org/os/licensing.
10 10 * See the License for the specific language governing permissions
11 11 * and limitations under the License.
12 12 *
13 13 * When distributing Covered Code, include this CDDL HEADER in each
14 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 15 * If applicable, add the following below this CDDL HEADER, with the
16 16 * fields enclosed by brackets "[]" replaced with your own identifying
17 17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 18 *
19 19 * CDDL HEADER END
20 20 */
21 21 /*
22 22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 23 * Use is subject to license terms.
24 24 */
25 25
26 26 /*
27 27 * Privilege implementation.
28 28 *
29 29 * This file provides the infrastructure for privilege sets and limits
30 30 * the number of files that requires to include <sys/cred_impl.h> and/or
31 31 * <sys/priv_impl.h>.
32 32 *
33 33 * The Solaris privilege mechanism has been designed in a
34 34 * future proof manner. While the kernel may use fixed size arrays
35 35 * and fixed bitmasks and bit values, the representation of those
36 36 * is kernel private. All external interfaces as well as K-to-K interfaces
37 37 * have been constructed in a manner to provide the maximum flexibility.
38 38 *
39 39 * There can be X privilege sets each containing Y 32 bit words.
40 40 * <X, Y> are constant for a kernel invocation.
41 41 *
42 42 * As a consequence, all privilege set manipulation happens in functions
43 43 * below.
44 44 *
45 45 */
46 46
47 47 #include <sys/systm.h>
48 48 #include <sys/ddi.h>
49 49 #include <sys/kmem.h>
50 50 #include <sys/sunddi.h>
51 51 #include <sys/errno.h>
52 52 #include <sys/debug.h>
53 53 #include <sys/priv_impl.h>
54 54 #include <sys/procfs.h>
55 55 #include <sys/policy.h>
56 56 #include <sys/cred_impl.h>
57 57 #include <sys/devpolicy.h>
58 58 #include <sys/atomic.h>
59 59
60 60 /*
61 61 * Privilege name to number mapping table consists in the generated
62 62 * priv_const.c file. This lock protects against updates of the privilege
63 63 * names and counts; all other priv_info fields are read-only.
64 64 * The actual protected values are:
65 65 * global variable nprivs
66 66 * the priv_max field
67 67 * the priv_names field
68 68 * the priv names info item (cnt/strings)
69 69 */
70 70 krwlock_t privinfo_lock;
71 71
72 72 static boolean_t priv_valid(const cred_t *);
73 73
74 74 priv_set_t priv_fullset; /* set of all privileges */
75 75 priv_set_t priv_unsafe; /* unsafe to exec set-uid root if these are not in L */
76 76
77 77 /*
78 78 * Privilege initialization functions.
79 79 * Called from common/os/cred.c when cred_init is called.
80 80 */
81 81
82 82 void
83 83 priv_init(void)
84 84 {
85 85 #ifdef DEBUG
86 86 int alloc_test_priv = 1;
87 87 #else
88 88 int alloc_test_priv = priv_debug;
89 89 #endif
90 90 rw_init(&privinfo_lock, NULL, RW_DRIVER, NULL);
91 91
92 92 PRIV_BASIC_ASSERT(priv_basic);
93 93 PRIV_UNSAFE_ASSERT(&priv_unsafe);
94 94 priv_fillset(&priv_fullset);
95 95
96 96 /*
97 97 * When booting with priv_debug set or in a DEBUG kernel, then we'll
98 98 * add an additional basic privilege and we verify that it is always
99 99 * present in E.
100 100 */
101 101 if (alloc_test_priv != 0 &&
102 102 (priv_basic_test = priv_getbyname("basic_test", PRIV_ALLOC)) >= 0) {
103 103 priv_addset(priv_basic, priv_basic_test);
104 104 }
|
↓ open down ↓ |
104 lines elided |
↑ open up ↑ |
105 105
106 106 devpolicy_init();
107 107 }
108 108
109 109 /* Utility functions: privilege sets as opaque data types */
110 110
111 111 /*
112 112 * Guts of prgetprivsize.
113 113 */
114 114 int
115 -priv_prgetprivsize(prpriv_t *tmpl)
115 +priv_prgetprivsize(const prpriv_t *tmpl)
116 116 {
117 117 return (sizeof (prpriv_t) +
118 118 PRIV_SETBYTES - sizeof (priv_chunk_t) +
119 119 (tmpl ? tmpl->pr_infosize : priv_info->priv_infosize));
120 120 }
121 121
122 122 /*
123 123 * Guts of prgetpriv.
124 124 */
125 125 void
126 126 cred2prpriv(const cred_t *cp, prpriv_t *pr)
127 127 {
128 128 priv_set_t *psa;
129 129 int i;
130 130
131 131 pr->pr_nsets = PRIV_NSET;
132 132 pr->pr_setsize = PRIV_SETSIZE;
133 133 pr->pr_infosize = priv_info->priv_infosize;
134 134
135 135 psa = (priv_set_t *)pr->pr_sets;
136 136
137 137 for (i = 0; i < PRIV_NSET; i++)
138 138 psa[i] = *priv_getset(cp, i);
139 139
140 140 priv_getinfo(cp, (char *)pr + PRIV_PRPRIV_INFO_OFFSET(pr));
141 141 }
142 142
143 143 /*
144 144 * Guts of pr_spriv:
145 145 *
146 146 * Set the privileges of a process.
147 147 *
148 148 * In order to set the privileges, the setting process will need to
149 149 * have those privileges in its effective set in order to prevent
150 150 * specially privileged processes to easily gain additional privileges.
151 151 * Pre-existing privileges can be retained. To change any privileges,
152 152 * PRIV_PROC_OWNER needs to be asserted.
153 153 *
154 154 * In formula:
155 155 *
156 156 * S' <= S || S' <= S + Ea
157 157 *
158 158 * the new set must either be subset of the old set or a subset of
159 159 * the oldset merged with the effective set of the acting process; or just:
160 160 *
161 161 * S' <= S + Ea
162 162 *
163 163 * It's not legal to grow the limit set this way.
164 164 *
165 165 */
166 166 int
167 167 priv_pr_spriv(proc_t *p, prpriv_t *prpriv, const cred_t *cr)
168 168 {
169 169 cred_t *oldcred;
170 170 cred_t *newcred;
171 171 int i;
172 172 int err = EPERM;
173 173 cred_priv_t *cp, *ocp;
174 174 priv_set_t eset;
175 175
176 176 ASSERT(MUTEX_HELD(&p->p_lock));
177 177
178 178 /*
179 179 * Set must have proper dimension; infosize must be absent
180 180 * or properly sized.
181 181 */
182 182 if (prpriv->pr_nsets != PRIV_NSET ||
183 183 prpriv->pr_setsize != PRIV_SETSIZE ||
184 184 (prpriv->pr_infosize & (sizeof (uint32_t) - 1)) != 0 ||
185 185 prpriv->pr_infosize > priv_info->priv_infosize)
186 186 return (EINVAL);
187 187
188 188 mutex_exit(&p->p_lock);
189 189
190 190 if (priv_proc_cred_perm(cr, p, &oldcred, VWRITE) != 0) {
191 191 mutex_enter(&p->p_lock);
192 192 return (EPERM);
193 193 }
194 194
195 195 newcred = crdup(oldcred);
196 196
197 197 /* Copy the privilege sets from prpriv to newcred */
198 198 bcopy(prpriv->pr_sets, CR_PRIVSETS(newcred), PRIV_SETBYTES);
199 199
200 200 cp = &newcred->cr_priv;
201 201 ocp = &oldcred->cr_priv;
202 202 eset = CR_OEPRIV(cr);
203 203
204 204 priv_intersect(&CR_LPRIV(oldcred), &eset);
205 205
206 206 /*
207 207 * Verify the constraints laid out:
208 208 * for the limit set, we require that the new set is a subset
209 209 * of the old limit set.
210 210 * for all other sets, we require that the new set is either a
211 211 * subset of the old set or a subset of the intersection of
212 212 * the old limit set and the effective set of the acting process.
213 213 */
214 214 for (i = 0; i < PRIV_NSET; i++)
215 215 if (!priv_issubset(&cp->crprivs[i], &ocp->crprivs[i]) &&
216 216 (i == PRIV_LIMIT || !priv_issubset(&cp->crprivs[i], &eset)))
217 217 break;
218 218
219 219 crfree(oldcred);
220 220
221 221 if (i < PRIV_NSET || !priv_valid(newcred))
222 222 goto err;
223 223
224 224 /* Load the settable privilege information */
225 225 if (prpriv->pr_infosize > 0) {
226 226 char *x = (char *)prpriv + PRIV_PRPRIV_INFO_OFFSET(prpriv);
227 227 char *lastx = x + prpriv->pr_infosize;
228 228
229 229 while (x < lastx) {
230 230 priv_info_t *pi = (priv_info_t *)x;
231 231 priv_info_uint_t *pii;
232 232
233 233 switch (pi->priv_info_type) {
234 234 case PRIV_INFO_FLAGS:
235 235 pii = (priv_info_uint_t *)x;
236 236 if (pii->info.priv_info_size != sizeof (*pii)) {
237 237 err = EINVAL;
238 238 goto err;
239 239 }
240 240 CR_FLAGS(newcred) &= ~PRIV_USER;
241 241 CR_FLAGS(newcred) |= (pii->val & PRIV_USER);
242 242 break;
243 243 default:
244 244 err = EINVAL;
245 245 goto err;
246 246 }
247 247 /* Guarantee alignment and forward progress */
248 248 if ((pi->priv_info_size & (sizeof (uint32_t) - 1)) ||
249 249 pi->priv_info_size < sizeof (*pi) ||
250 250 lastx - x > pi->priv_info_size) {
251 251 err = EINVAL;
252 252 goto err;
253 253 }
254 254
255 255 x += pi->priv_info_size;
256 256 }
257 257 }
258 258
259 259 /*
260 260 * We'll try to copy the privilege aware flag; but since the
261 261 * privileges sets are all individually set, they are set
262 262 * as if we're privilege aware. If PRIV_AWARE wasn't set
263 263 * or was explicitely unset, we need to set the flag and then
264 264 * try to get rid of it.
265 265 */
266 266 if ((CR_FLAGS(newcred) & PRIV_AWARE) == 0) {
267 267 CR_FLAGS(newcred) |= PRIV_AWARE;
268 268 priv_adjust_PA(newcred);
269 269 }
270 270
271 271 mutex_enter(&p->p_crlock);
272 272 oldcred = p->p_cred;
273 273 p->p_cred = newcred;
274 274 mutex_exit(&p->p_crlock);
275 275 crfree(oldcred);
276 276
277 277 mutex_enter(&p->p_lock);
278 278 return (0);
279 279
280 280 err:
281 281 crfree(newcred);
282 282 mutex_enter(&p->p_lock);
283 283 return (err);
284 284 }
285 285
286 286 priv_impl_info_t
287 287 *priv_hold_implinfo(void)
288 288 {
289 289 rw_enter(&privinfo_lock, RW_READER);
290 290 return (priv_info);
291 291 }
292 292
293 293 void
294 294 priv_release_implinfo(void)
295 295 {
296 296 rw_exit(&privinfo_lock);
297 297 }
298 298
299 299 size_t
300 300 priv_get_implinfo_size(void)
301 301 {
302 302 return (privinfosize);
303 303 }
304 304
305 305
306 306 /*
307 307 * Return the nth privilege set
308 308 */
309 309 const priv_set_t *
310 310 priv_getset(const cred_t *cr, int set)
311 311 {
312 312 ASSERT(PRIV_VALIDSET(set));
313 313
314 314 if ((CR_FLAGS(cr) & PRIV_AWARE) == 0)
315 315 switch (set) {
316 316 case PRIV_EFFECTIVE:
317 317 return (&CR_OEPRIV(cr));
318 318 case PRIV_PERMITTED:
319 319 return (&CR_OPPRIV(cr));
320 320 }
321 321 return (&CR_PRIVS(cr)->crprivs[set]);
322 322 }
323 323
324 324 /*
325 325 * Buf must be allocated by caller and contain sufficient space to
326 326 * contain all additional info structures using priv_info.priv_infosize.
327 327 * The buffer must be properly aligned.
328 328 */
329 329 /*ARGSUSED*/
330 330 void
331 331 priv_getinfo(const cred_t *cr, void *buf)
332 332 {
333 333 struct priv_info_uint *ii;
334 334
335 335 ii = buf;
336 336 ii->val = CR_FLAGS(cr);
337 337 ii->info.priv_info_size = (uint32_t)sizeof (*ii);
338 338 ii->info.priv_info_type = PRIV_INFO_FLAGS;
339 339 }
340 340
341 341 int
342 342 priv_getbyname(const char *name, uint_t flag)
343 343 {
344 344 int i;
345 345 int wheld = 0;
346 346 int len;
347 347 char *p;
348 348
349 349 if (flag != 0 && flag != PRIV_ALLOC)
350 350 return (-EINVAL);
351 351
352 352 if (strncasecmp(name, "priv_", 5) == 0)
353 353 name += 5;
354 354
355 355 rw_enter(&privinfo_lock, RW_READER);
356 356 rescan:
357 357 for (i = 0; i < nprivs; i++)
358 358 if (strcasecmp(priv_names[i], name) == 0) {
359 359 rw_exit(&privinfo_lock);
360 360 return (i);
361 361 }
362 362
363 363
364 364 if (!wheld) {
365 365 if (!(flag & PRIV_ALLOC)) {
366 366 rw_exit(&privinfo_lock);
367 367 return (-EINVAL);
368 368 }
369 369
370 370 /* check length, validity and available space */
371 371 len = strlen(name) + 1;
372 372
373 373 if (len > PRIVNAME_MAX) {
374 374 rw_exit(&privinfo_lock);
375 375 return (-ENAMETOOLONG);
376 376 }
377 377
378 378 for (p = (char *)name; *p != '\0'; p++) {
379 379 char c = *p;
380 380
381 381 if (!((c >= 'A' && c <= 'Z') ||
382 382 (c >= 'a' && c <= 'z') ||
383 383 (c >= '0' && c <= '9') ||
384 384 c == '_')) {
385 385 rw_exit(&privinfo_lock);
386 386 return (-EINVAL);
387 387 }
388 388 }
389 389
390 390 if (!rw_tryupgrade(&privinfo_lock)) {
391 391 rw_exit(&privinfo_lock);
392 392 rw_enter(&privinfo_lock, RW_WRITER);
393 393 wheld = 1;
394 394 /* Someone may have added our privilege */
395 395 goto rescan;
396 396 }
397 397 }
398 398
399 399 if (nprivs == MAX_PRIVILEGE || len + privbytes > maxprivbytes) {
400 400 rw_exit(&privinfo_lock);
401 401 return (-ENOMEM);
402 402 }
403 403
404 404 priv_names[i] = p = priv_str + privbytes;
405 405
406 406 bcopy(name, p, len);
407 407
408 408 /* make the priv_names[i] and privilege name globally visible */
409 409 membar_producer();
410 410
411 411 /* adjust priv count and bytes count */
412 412 priv_ninfo->cnt = priv_info->priv_max = ++nprivs;
413 413 privbytes += len;
414 414
415 415 rw_exit(&privinfo_lock);
416 416 return (i);
417 417 }
418 418
419 419 /*
420 420 * We can't afford locking the privileges here because of the locations
421 421 * we call this from; so we make sure that the privileges table
422 422 * is visible to us; it is made visible before the value of nprivs is
423 423 * updated.
424 424 */
425 425 const char *
426 426 priv_getbynum(int priv)
427 427 {
428 428 int maxpriv = nprivs;
429 429
430 430 membar_consumer();
431 431
432 432 if (priv >= 0 && priv < maxpriv)
433 433 return (priv_names[priv]);
434 434
435 435 return (NULL);
436 436 }
437 437
438 438 const char *
439 439 priv_getsetbynum(int setno)
440 440 {
441 441 if (!PRIV_VALIDSET(setno))
442 442 return (NULL);
443 443
444 444 return (priv_setnames[setno]);
445 445 }
446 446
447 447 /*
448 448 * Privilege sanity checking when setting: E <= P.
449 449 */
450 450 static boolean_t
451 451 priv_valid(const cred_t *cr)
452 452 {
453 453 return (priv_issubset(&CR_EPRIV(cr), &CR_PPRIV(cr)));
454 454 }
455 455
456 456 /*
457 457 * Privilege manipulation functions
458 458 *
459 459 * Without knowing the details of the privilege set implementation,
460 460 * opaque pointers can be used to manipulate sets at will.
461 461 */
462 462 void
463 463 priv_emptyset(priv_set_t *set)
464 464 {
465 465 bzero(set, sizeof (*set));
466 466 }
467 467
468 468 void
469 469 priv_fillset(priv_set_t *set)
470 470 {
471 471 int i;
472 472
473 473 /* memset? */
474 474 for (i = 0; i < PRIV_SETSIZE; i++)
475 475 set->pbits[i] = ~(priv_chunk_t)0;
476 476 }
477 477
478 478 void
479 479 priv_addset(priv_set_t *set, int priv)
480 480 {
481 481 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
482 482 __PRIV_ASSERT(set, priv);
483 483 }
484 484
485 485 void
486 486 priv_delset(priv_set_t *set, int priv)
487 487 {
488 488 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
489 489 __PRIV_CLEAR(set, priv);
490 490 }
491 491
492 492 boolean_t
493 493 priv_ismember(const priv_set_t *set, int priv)
494 494 {
495 495 ASSERT(priv >= 0 && priv < MAX_PRIVILEGE);
496 496 return (__PRIV_ISASSERT(set, priv) ? B_TRUE : B_FALSE);
497 497 }
498 498
499 499 #define PRIV_TEST_BODY(test) \
500 500 int i; \
501 501 \
502 502 for (i = 0; i < PRIV_SETSIZE; i++) \
503 503 if (!(test)) \
504 504 return (B_FALSE); \
505 505 \
506 506 return (B_TRUE)
507 507
508 508 boolean_t
509 509 priv_isequalset(const priv_set_t *a, const priv_set_t *b)
510 510 {
511 511 return ((boolean_t)(bcmp(a, b, sizeof (*a)) == 0));
512 512 }
513 513
514 514 boolean_t
515 515 priv_isemptyset(const priv_set_t *set)
516 516 {
517 517 PRIV_TEST_BODY(set->pbits[i] == 0);
518 518 }
519 519
520 520 boolean_t
521 521 priv_isfullset(const priv_set_t *set)
522 522 {
523 523 PRIV_TEST_BODY(set->pbits[i] == ~(priv_chunk_t)0);
524 524 }
525 525
526 526 /*
527 527 * Return true if a is a subset of b
528 528 */
529 529 boolean_t
530 530 priv_issubset(const priv_set_t *a, const priv_set_t *b)
531 531 {
532 532 PRIV_TEST_BODY((a->pbits[i] | b->pbits[i]) == b->pbits[i]);
533 533 }
534 534
535 535 #define PRIV_CHANGE_BODY(a, op, b) \
536 536 int i; \
537 537 \
538 538 for (i = 0; i < PRIV_SETSIZE; i++) \
539 539 a->pbits[i] op b->pbits[i]
540 540
541 541 /* B = A ^ B */
542 542 void
543 543 priv_intersect(const priv_set_t *a, priv_set_t *b)
544 544 {
545 545 /* CSTYLED */
546 546 PRIV_CHANGE_BODY(b, &=, a);
547 547 }
548 548
549 549 /* B = A v B */
550 550 void
551 551 priv_union(const priv_set_t *a, priv_set_t *b)
552 552 {
553 553 /* CSTYLED */
554 554 PRIV_CHANGE_BODY(b, |=, a);
555 555 }
556 556
557 557 /* A = ! A */
558 558 void
559 559 priv_inverse(priv_set_t *a)
560 560 {
561 561 PRIV_CHANGE_BODY(a, = ~, a);
562 562 }
563 563
564 564 /*
565 565 * Can the source cred act on the target credential?
566 566 *
567 567 * We will you allow to gain uids this way but not privileges.
568 568 */
569 569 int
570 570 priv_proc_cred_perm(const cred_t *scr, proc_t *tp, cred_t **pcr, int mode)
571 571 {
572 572 const priv_set_t *eset;
573 573 int idsmatch;
574 574 cred_t *tcr;
575 575 int res = 0;
576 576
577 577 /* prevent the cred from going away */
578 578 mutex_enter(&tp->p_crlock);
579 579 crhold(tcr = tp->p_cred);
580 580 mutex_exit(&tp->p_crlock);
581 581
582 582 if (scr == tcr && !(tp->p_flag & SNOCD))
583 583 goto out;
584 584
585 585 idsmatch = (scr->cr_uid == tcr->cr_uid &&
586 586 scr->cr_uid == tcr->cr_ruid &&
587 587 scr->cr_uid == tcr->cr_suid &&
588 588 scr->cr_gid == tcr->cr_gid &&
589 589 scr->cr_gid == tcr->cr_rgid &&
590 590 scr->cr_gid == tcr->cr_sgid &&
591 591 !(tp->p_flag & SNOCD));
592 592
593 593 /*
594 594 * Source credential must have the proc_zone privilege if referencing
595 595 * a process in another zone.
596 596 */
597 597 if (scr->cr_zone != tcr->cr_zone && secpolicy_proc_zone(scr) != 0) {
598 598 res = EACCES;
599 599 goto out;
600 600 }
601 601
602 602 if (!(mode & VWRITE)) {
603 603 if (!idsmatch && secpolicy_proc_owner(scr, tcr, 0) != 0)
604 604 res = EACCES;
605 605 goto out;
606 606 }
607 607
608 608 /*
609 609 * For writing, the effective set of scr must dominate all sets of tcr,
610 610 * We test Pt <= Es (Et <= Pt so no need to test) and It <= Es
611 611 * The Limit set of scr must be a superset of the limitset of
612 612 * tcr.
613 613 */
614 614 eset = &CR_OEPRIV(scr);
615 615
616 616 if (!priv_issubset(&CR_IPRIV(tcr), eset) ||
617 617 !priv_issubset(&CR_OPPRIV(tcr), eset) ||
618 618 !priv_issubset(&CR_LPRIV(tcr), &CR_LPRIV(scr)) ||
619 619 !idsmatch && secpolicy_proc_owner(scr, tcr, mode) != 0)
620 620 res = EACCES;
621 621
622 622 out:
623 623 if (res == 0 && pcr != NULL)
624 624 *pcr = tcr;
625 625 else
626 626 crfree(tcr);
627 627 return (res);
628 628 }
629 629
630 630 /*
631 631 * Set the privilege aware bit, adding L to E/P if necessary.
632 632 * Each time we set it, we also clear PRIV_AWARE_RESET.
633 633 */
634 634 void
635 635 priv_set_PA(cred_t *cr)
636 636 {
637 637 ASSERT(cr->cr_ref <= 2);
638 638
639 639 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) == PRIV_AWARE)
640 640 return;
641 641
642 642 CR_FLAGS(cr) |= PRIV_AWARE;
643 643 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
644 644
645 645 if (cr->cr_uid == 0)
646 646 priv_union(&CR_LPRIV(cr), &CR_EPRIV(cr));
647 647
648 648 if (cr->cr_uid == 0 || cr->cr_suid == 0 || cr->cr_ruid == 0)
649 649 priv_union(&CR_LPRIV(cr), &CR_PPRIV(cr));
650 650 }
651 651
652 652 boolean_t
653 653 priv_can_clear_PA(const cred_t *cr)
654 654 {
655 655 /*
656 656 * We can clear PA in the following cases:
657 657 *
658 658 * None of the uids are 0.
659 659 * Any uid == 0 and P == L and (Euid != 0 or E == L)
660 660 */
661 661 return ((cr->cr_suid != 0 && cr->cr_ruid != 0 && cr->cr_uid != 0) ||
662 662 priv_isequalset(&CR_PPRIV(cr), &CR_LPRIV(cr)) &&
663 663 (cr->cr_uid != 0 || priv_isequalset(&CR_EPRIV(cr), &CR_LPRIV(cr))));
664 664 }
665 665
666 666 /*
667 667 * Clear privilege aware bit if it is an idempotent operation and by
668 668 * clearing it the process cannot get to uid 0 and all privileges.
669 669 *
670 670 * This function should be called with caution as it may cause "E" to be
671 671 * lost once a processes assumes euid 0 again.
672 672 */
673 673 void
674 674 priv_adjust_PA(cred_t *cr)
675 675 {
676 676 ASSERT(cr->cr_ref <= 2);
677 677
678 678 if (!(CR_FLAGS(cr) & PRIV_AWARE) ||
679 679 !priv_can_clear_PA(cr)) {
680 680 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
681 681 return;
682 682 }
683 683
684 684 if (CR_FLAGS(cr) & PRIV_AWARE_INHERIT)
685 685 return;
686 686
687 687 /*
688 688 * We now need to adjust P/E in those cases when uids
689 689 * are zero; the rules are P' = I & L, E' = I & L;
690 690 * but since P = L and E = L, we can use P &= I, E &= I,
691 691 * depending on which uids are 0.
692 692 */
693 693 if (cr->cr_suid == 0 || cr->cr_ruid == 0 || cr->cr_uid == 0) {
694 694 if (cr->cr_uid == 0)
695 695 priv_intersect(&CR_IPRIV(cr), &CR_EPRIV(cr));
696 696 priv_intersect(&CR_IPRIV(cr), &CR_PPRIV(cr));
697 697 }
698 698
699 699 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
700 700 }
701 701
702 702 /*
703 703 * Reset privilege aware bit if so requested by setting the PRIV_AWARE_RESET
704 704 * flag.
705 705 */
706 706 void
707 707 priv_reset_PA(cred_t *cr, boolean_t finalize)
708 708 {
709 709 ASSERT(cr->cr_ref <= 2);
710 710
711 711 if ((CR_FLAGS(cr) & (PRIV_AWARE|PRIV_AWARE_RESET)) !=
712 712 (PRIV_AWARE|PRIV_AWARE_RESET)) {
713 713 CR_FLAGS(cr) &= ~PRIV_AWARE_RESET;
714 714 return;
715 715 }
716 716
717 717 /*
718 718 * When PRIV_AWARE_RESET is enabled, any change of uids causes
719 719 * a change to the P and E sets. Bracketing with
720 720 * seteuid(0) ... seteuid(uid)/setreuid(-1, 0) .. setreuid(-1, uid)
721 721 * will cause the privilege sets "do the right thing.".
722 722 * When the change of the uid is "final", e.g., by using setuid(uid),
723 723 * or setreuid(uid, uid) or when the last set*uid() call causes all
724 724 * uids to be the same, we set P and E to I & L, like when you exec.
725 725 * We make an exception when all the uids are 0; this is required
726 726 * when we login as root as in that particular case we cannot
727 727 * make a distinction between seteuid(0) and seteuid(uid).
728 728 * We rely on seteuid/setreuid/setuid to tell us with the
729 729 * "finalize" argument that we no longer expect new uid changes,
730 730 * cf. setreuid(uid, uid) and setuid(uid).
731 731 */
732 732 if (cr->cr_suid == cr->cr_ruid && cr->cr_suid == cr->cr_uid) {
733 733 if (finalize || cr->cr_uid != 0) {
734 734 CR_EPRIV(cr) = CR_IPRIV(cr);
735 735 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
736 736 CR_PPRIV(cr) = CR_EPRIV(cr);
737 737 CR_FLAGS(cr) &= ~(PRIV_AWARE|PRIV_AWARE_RESET);
738 738 } else {
739 739 CR_EPRIV(cr) = CR_PPRIV(cr);
740 740 }
741 741 } else if (cr->cr_uid != 0 && (cr->cr_ruid == 0 || cr->cr_suid == 0)) {
742 742 CR_EPRIV(cr) = CR_IPRIV(cr);
743 743 priv_intersect(&CR_LPRIV(cr), &CR_EPRIV(cr));
744 744 }
745 745 }
|
↓ open down ↓ |
620 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX